From db1bb95ab2fbc1155413d052cf0af6ffa9628384 Mon Sep 17 00:00:00 2001
From: "Dmitriy A. Gerasimov" <dmitriy.gerasimov@demlabs.net>
Date: Thu, 24 Dec 2020 21:24:25 +0700
Subject: [PATCH] [*] Added token datum size check to prevent out of bounds in
 signature verify

---
 CMakeLists.txt                         |  2 +-
 modules/chain/dap_chain_ledger.c       | 13 +++++++------
 modules/common/dap_chain_datum_token.c | 12 +++++++++---
 3 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 984e0b3e83..ca352ff55f 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -2,7 +2,7 @@ project(cellframe-sdk C)
 cmake_minimum_required(VERSION 2.8)
 
 set(CMAKE_C_STANDARD 11)
-set(CELLFRAME_SDK_NATIVE_VERSION "2.6-92")
+set(CELLFRAME_SDK_NATIVE_VERSION "2.6-93")
 add_definitions ("-DCELLFRAME_SDK_VERSION=\"${CELLFRAME_SDK_NATIVE_VERSION}\"")
 set(DAPSDK_MODULES "")
 
diff --git a/modules/chain/dap_chain_ledger.c b/modules/chain/dap_chain_ledger.c
index c131dd4f3a..170989f5b4 100644
--- a/modules/chain/dap_chain_ledger.c
+++ b/modules/chain/dap_chain_ledger.c
@@ -339,14 +339,15 @@ int dap_chain_ledger_token_add(dap_ledger_t * a_ledger,  dap_chain_datum_token_t
         l_token_item->auth_signs= dap_chain_datum_token_simple_signs_parse(a_token,a_token_size,
                                                                                    &l_token_item->auth_signs_total,
                                                                                    &l_token_item->auth_signs_valid );
-        if(l_token_item->auth_signs_total)
+        if(l_token_item->auth_signs_total){
             l_token_item->auth_signs_pkey_hash = DAP_NEW_Z_SIZE(dap_chain_hash_fast_t,sizeof (dap_chain_hash_fast_t)* l_token_item->auth_signs_total);
-        for(uint16_t k=0; k<l_token_item->auth_signs_total;k++){
-            dap_sign_get_pkey_hash(l_token_item->auth_signs[k],&l_token_item->auth_signs_pkey_hash[k]);
+            for(uint16_t k=0; k<l_token_item->auth_signs_total;k++){
+                dap_sign_get_pkey_hash(l_token_item->auth_signs[k],&l_token_item->auth_signs_pkey_hash[k]);
+            }
+            log_it(L_NOTICE, "Simple token %s added (total_supply = %.1llf total_signs_valid=%hu signs_total=%hu type=DAP_CHAIN_DATUM_TOKEN_PRIVATE )",
+                   a_token->ticker, dap_chain_datoshi_to_coins(a_token->header_private.total_supply),
+                   a_token->header_private.signs_valid, a_token->header_private.signs_total);
         }
-        log_it(L_NOTICE, "Simple token %s added (total_supply = %.1llf total_signs_valid=%hu signs_total=%hu type=DAP_CHAIN_DATUM_TOKEN_PRIVATE )",
-               a_token->ticker, dap_chain_datoshi_to_coins(a_token->header_private.total_supply),
-               a_token->header_private.signs_valid, a_token->header_private.signs_total);
         break;
     }
 
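Review bot: The `DAP_NEW_Z_SIZE` result on line 36 is written through in the loop on the following lines without a NULL check, so an allocation failure for a token carrying many signatures dereferences NULL inside `dap_sign_get_pkey_hash`; add `if(!l_token_item->auth_signs_pkey_hash) { log_it(L_CRITICAL, "Memory allocation error"); break; }` (or whatever error return this function uses) before the loop. Separately, now that the parser returns NULL and zeroes the total on a corrupted signature block, this branch can no longer distinguish "no signatures" from "parse failed", and as far as the hunk shows the token is still added with an empty authority set rather than rejected; at minimum log it, e.g. `if(!l_token_item->auth_signs) log_it(L_WARNING, "Token %s: signature block could not be parsed", a_token->ticker);`, and consider returning an error from `dap_chain_ledger_token_add` there. The function's prologue and cleanup convention are outside this hunk.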
diff --git a/modules/common/dap_chain_datum_token.c b/modules/common/dap_chain_datum_token.c
index 91f2f0cc5d..7e62c3b115 100644
--- a/modules/common/dap_chain_datum_token.c
+++ b/modules/common/dap_chain_datum_token.c
@@ -202,11 +202,11 @@ dap_sign_t ** dap_chain_datum_token_simple_signs_parse(dap_chain_datum_token_t *
         size_t l_sign_size = dap_sign_get_size(l_sign);
         if(!l_sign_size ){
             log_it(L_WARNING,"Corrupted signature: size is zero");
-            break;
+            goto err;
         }
-        if(l_sign_size> (UINT32_MAX-l_offset ) ){
+        if(l_sign_size> (a_datum_token_size-l_offset ) ){
             log_it(L_WARNING,"Corrupted signature: size %zd is too big", l_sign_size);
-            break;
+            goto err;
         }
         l_ret[n] = l_sign;
         n++;
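Review bot: The new bound on line 64 runs only after `dap_sign_get_size(l_sign)` on line 57 has presumably already read size fields from the signature header, so if fewer than `sizeof(dap_sign_t)` bytes remain at `l_offset` those fields are read past the end of the datum before any size is checked; unless the loop condition (outside the hunk) already guarantees that headroom, add `if(l_offset > a_datum_token_size || a_datum_token_size - l_offset < sizeof(dap_sign_t)){ log_it(L_WARNING,"Corrupted signature: header truncated"); goto err; }` before the size call. The same guard also keeps `a_datum_token_size - l_offset` from wrapping when `l_offset` exceeds the datum size, a case in which the line 64 comparison would accept any `l_sign_size`. Minor: `l_sign_size` is a `size_t`, so the `%zd` in the warning should be `%zu`. The enclosing loop and function begin outside this hunk.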
@@ -214,4 +214,10 @@ dap_sign_t ** dap_chain_datum_token_simple_signs_parse(dap_chain_datum_token_t *
         l_offset += l_sign_size;
     }
     return l_ret;
+err:
+    *a_signs_total = 0;
+    if(l_ret)
+        DAP_DELETE(l_ret);
+    return NULL;
+
 }
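Review bot: The `err:` path resets `*a_signs_total` but not the signs-valid output that the ledger call site also passes as the fourth argument (its parameter name is not visible in this hunk), so if that value is assigned before the loop a caller can end up with `auth_signs == NULL`, `auth_signs_total == 0` and a stale non-zero valid-signature threshold; zero it here too, e.g. `*a_signs_valid = 0;` under whatever name it has. The `if(l_ret)` guard before `DAP_DELETE` is only needed if that macro does not tolerate NULL; if it wraps `free()` it can be dropped. A short comment above the label, `/* Corrupted datum: discard partial results so the caller sees no signatures */`, would make the reset contract explicit for the next reader. The function's signature and loop header are outside this hunk.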
-- 
GitLab